Posted by: David Harley | July 19, 2016

MacKeeper threatens young critic with a harassment suit

I haven’t checked out MacKeeper personally, but its name keeps coming up in various contexts, and not usually in a context that inspires confidence. And I can’t help but notice that many of the requests for advice I receive are from people using it.

Perhaps I should just repeat, more or less, something I said in an earlier blog:

The name has come up several times in comments directed towards Mac security sites like this one, Mac-related user forums and on various specialized lists, in the context of dubious malware alert pop-ups and aggressive marketing. I’ve never used or tested the product myself (and don’t intend to – as long as I’m getting a sizeable proportion of my income from a security product, I prefer not to return to formally testing other security products), I haven’t seen any of the behaviour of which the product is accused at first hand, and I obviously can’t in normal circumstances confirm the veracity or otherwise of accusations made in blog comments.

But apparently 14-year-old Luqman Wadood has been so outspoken that the company behind the product has threatened him with legal action over some videos he posted on YouTube.

Graham Cluley makes the very apposite point ‘I wonder if MacKeeper has ever heard of the Streisand effect?’ At any rate, there are a number of comments to his article at the moment that all seem to support Wadood’s position.

David Harley

Posted by: David Harley | July 15, 2016

Pokémon beGOne

[Also published on the AVIEN blog, slightly edited here.]

Not quite ransomware (though there is a suggestion that it may happen), but my ESET colleague Lukas Stefanko describes a fake lockscreen app that takes advantage of the currently prevalent obsession with Pokémon GO to install malware. The app locks the screen, forcing the user to reboot. The reboot may only be possible by removing and replacing the battery, or by using the Android Device Manager. After reboot, the hidden app uses the device to engage in click fraud, generating revenue for the criminals behind it by clicking on advertisements. He observes:

This is the first observation of lockscreen functionality being successfully used in a fake app that landed on Google Play. It is important to note that from there it just takes one small step to add a ransom message and create the first lockscreen ransomware on Google Play.

In fact, it would also require some other steps to enable the operators to collect ransom, but the point is well taken. It’s an obvious enough step that I’m sure has already occurred to some ransomware bottom-feeders. Anyway, since the idea is already out there, it’s just as well to make (some) potential victims aware of the possibility. And it’s all too easy for a relatively simple scam to take advantage of a popular craze.

Clicking on porn advertisements isn’t the only payload Lukas mentions: the article is also decorated with screenshots of scareware pop-ups and fake notifications of prizes.

The ESET article is here: Pokémon GO hype: First lockscreen tries to catch the trend

Somewhat-related recent articles from ESET:

Other blogs are available. 🙂

David Harley

Posted by: David Harley | July 8, 2016

Ransomware and a rumoured Apple ID breach

[Also published on the AVIEN blog, where I maintain a ransomware links/information resource]

For CSO Online, Steve Ragan describes how Ransom demands are written in Russian via the Find my iPhone service. Here’s how he describes the attack:

It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim’s device into lost mode. At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it.

Thomas Reed also described a similar attack a few months back using iCloud’s ‘Find My Mac’.

Ragan also mentions ‘a rumor concerning “rumblings of a massive (40 million) data breach at Apple.”‘ I’ve seen no confirmation of that anywhere, but it’s certainly a good time to check that your AppleID credentials are in good shape.

Commentary by Graham Cluley here. You might want to consider taking up his suggestion of enabling two-step verification on your Apple ID account, too.

David Harley

Posted by: David Harley | July 7, 2016

Sweet: Nougat offers a lockscreen security nugget

Graham Cluley describes How Android Nougat will help protect your password from ransomware – New condition will partially prevent unwanted Android lockscreen password resets. The new OS upgrade changes the behaviour of the resetPassword API: a device-admin app can still set a lockscreen password where none exists, but (unless it is the device owner or profile owner) it can no longer replace one that is already set.

Which means that the new OS won’t stop malware setting a password on a device where the user hasn’t already set one: a pretty good extra incentive to set one if you haven’t already. The restriction cuts both ways, though. Security software that relied on the same API to clear a password set by lockscreen malware on an upgraded phone will no longer be able to do so, so prevention matters more than ever.
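The restriction described above affects legitimate device-admin apps (anti-theft or MDM tools) exactly as it affects lockscreen malware. The following is an added example, not code from the original post, from Google or from any product mentioned here: a small device-admin helper that checks the Nougat condition before calling resetPassword, so that the caller can tell a credential that was applied apart from one the platform refused to change. The package name, class name, Result enum and log messages are this example’s own assumptions; the API calls (DevicePolicyManager.resetPassword, isDeviceOwnerApp, isProfileOwnerApp, KeyguardManager.isDeviceSecure) are real Android APIs.

```java
// Added example, not the original post's code. Package and class names are hypothetical.
package example.lockscreen;

import android.app.KeyguardManager;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.util.Log;

public final class LockscreenPolicy {
    private static final String TAG = "LockscreenPolicy";

    /** Outcome of an attempt to set the lock-screen credential (names are this example's own). */
    public enum Result { SET, ALREADY_SET_NOUGAT, REJECTED, NOT_ADMIN }

    private final DevicePolicyManager dpm;
    private final KeyguardManager keyguard;
    private final ComponentName admin;   // this app's DeviceAdminReceiver
    private final String packageName;

    public LockscreenPolicy(Context ctx, ComponentName admin) {
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.keyguard = (KeyguardManager) ctx.getSystemService(Context.KEYGUARD_SERVICE);
        this.admin = admin;
        this.packageName = ctx.getPackageName();
    }

    /** Device owners and profile owners keep the ability to replace an existing credential on Nougat. */
    private boolean isOwner() {
        return dpm.isDeviceOwnerApp(packageName) || dpm.isProfileOwnerApp(packageName);
    }

    public Result setLockscreenPassword(String newPassword) {
        if (!dpm.isAdminActive(admin)) {
            return Result.NOT_ADMIN;
        }
        // Nougat (API 24+): a plain device admin may only SET a credential where none exists.
        // isDeviceSecure() (API 23+) tells us whether a PIN/pattern/password is already set.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N
                && keyguard.isDeviceSecure() && !isOwner()) {
            Log.w(TAG, "Lock-screen credential already set; a non-owner admin cannot change it on Nougat");
            return Result.ALREADY_SET_NOUGAT;
        }
        try {
            // RESET_PASSWORD_REQUIRE_ENTRY: the user must type the new password once
            // before other unlock methods (e.g. fingerprint) are accepted again.
            boolean applied = dpm.resetPassword(newPassword,
                    DevicePolicyManager.RESET_PASSWORD_REQUIRE_ENTRY);
            return applied ? Result.SET : Result.REJECTED;
        } catch (SecurityException e) {
            // Raised when the admin does not hold USES_POLICY_RESET_PASSWORD, and
            // (assumption) treated here the same way as a platform refusal.
            Log.w(TAG, "resetPassword refused: " + e.getMessage());
            return Result.REJECTED;
        }
    }
}
```

The pre-check is the point: on a Nougat device where the user has already set a credential, a non-owner admin gets ALREADY_SET_NOUGAT without the platform ever being asked, which is the same wall a lockscreen ransomware sample would hit. On an unprotected device the call goes through, which is why setting a credential yourself remains the useful mitigation.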

Nougat (Android 7.0) is scheduled to be rolled out later this year.

I’ve posted some odds and ends of information on how ransomware affects various platforms on an AVIEN blog page here: Ransomware: Affected Platforms & Devices

David Harley

Posted by: David Harley | July 7, 2016

Bumper Bundles of Android Patches

Posted by: David Harley | July 7, 2016

A new trio of Mac malware…

…or two examples of malware and one of adware, if you don’t feel threatened by adware.

Decent article by Dan Goodin for Ars Technica: After hiatus, in-the-wild Mac backdoors are suddenly back – Three new pieces of Mac-targeting malware access webcams, passwords, and more.

The article discusses:

David Harley

Posted by: David Harley | June 20, 2016

iTunes ‘virus’ scam: Only (don’t) Connect

Graham Cluley writes for ESET that Scammers claim there is a virus in Apple’s iTunes database. He’s referring to a tweet by Fujitsu’s @Bry_Campbell quoting a scammer’s claim that victims must ‘re-validate’ their accounts due to a ‘virus’ in the database. In order to panic victims into complying, the scam message claims that this is the second message sent by the ‘Apple admin’, and that they must re-validate their account within 72 hours or lose their account permanently.

The link in the scam message goes to a phishing site masquerading as iTunes Connect. Clearly, the intention is to harvest sensitive information.

Graham points out that:

If you receive what you believe to be a phishing email purporting to be from Apple, the company asks that you forward it to them at, including the message’s full header information.

David Harley

Posted by: David Harley | June 7, 2016

What is and isn’t a virus

Every so often, someone tells me that their Mac is misbehaving and asks if it’s due to a virus. While I can’t usually say with absolute certainty that the cause isn’t some form of malware, it’s almost never a virus. In fact, while there were certainly viruses for Mac OS versions before OS X (though not very many), there is hardly any OS X malware that everyone would unanimously define as a virus, even in the anti-malware community.

There are other forms of malware that affect OS X, of course, though the numbers of specific programs and families are vanishingly small compared to the numbers that affect Windows users. And I imagine that the people who ask me this question think of any harmful program as being a virus, whereas security people usually think of viruses as being programs that self-replicate. But if you’re an everyday computer user, you probably don’t care about definitional niceties: you just want to be sure that some form of malware, whatever it may be called, isn’t about to make your life a misery.

Graham Cluley used to have a slide, if I remember correctly (and I expect Graham will put me straight if I don’t), that showed a virus at work. The slide looked something like this:

virus at work

I don’t know how many Windows users – let alone passionate Mac users – know or remember what a DOS prompt looks like, but back in the days before Windows became the standard for desktop/laptop users, many of us used machines that ran the non-graphical operating system MS-DOS (or its sibling PC-DOS). And this more or less was what MS-DOS looked like when it was waiting for a computer user to tell it which program to run. (Just looking at this, I’m almost overwhelmed by the urge to type WS and see whether it launches WordStar. But it won’t, because I haven’t used WordStar in decades and certainly don’t have it installed on this machine.)

Graham’s point, though, was that while some viruses would give you some visual warning that they were present and operational – Cascade, for instance, did a disconcerting impression of letters falling to the bottom of your screen, while Ambulance used text characters cunningly combined to look like an ambulance running across the screen – most of the time you wouldn’t know that your system was infected, because there would be nothing unusual to see. (The Mac or Windows equivalent to the DOS prompt would be a desktop display looking absolutely normal…) At least, everything would look normal until the malware delivered its payload, which might be a more-or-less harmless visual display, but might be something altogether uglier. For example, SMEG.Pathogen displayed (among other things) the text

‘Smoke me a kipper, I’ll be back for breakfast…’

Unfortunately some of your data won’t!!!!!

In the Mac arena too, there was early malware that triggered with some destructive effect: some Sevendust variants, ChinaTalk, and Virus Info for example. (Fortunately, the macro viruses that swamped the Mac scene in the 1990s rarely affected Mac systems significantly: mostly they just passed through unprotected systems on their way to another Windows machine.)

There was also malware that affected the keyboard in some way: for instance, there was at one time a spate of 3rd-party keyboards with a Trojan horse embedded in a ROM chip that would insert the text Welcome Datacomp at random intervals, while NVP modified the System file so that no vowels could be typed. So when people wonder whether issues with the keyboard and random insertion or substitution of characters are virus/malware-related, they’re not being totally irrational. However, modern malware tends to be driven by profit or ideology rather than the urge to ‘play’ with someone else’s computer or cruelly destroy their data. Even the ransomware gangs are out to make some money rather than simply indulge their own destructive impulses. So anomalous keyboard behaviour is probably due to a hardware or system issue rather than malware.

So by all means ask me if you might have a virus, but be aware that

  • I don’t give this site nearly as much attention as I used to, so you probably won’t get an instant answer.
  • There’s too much malware around nowadays, even for Mac, for me to know what all of it does, especially if you don’t tell me what kind of Mac you have and what operating system it runs.
  • The days when I worked in Mac support are long gone, and I don’t have a battery of test machines to work from, or the ability to fix problems remotely. Unless there’s a really obvious answer to your problem, I’m not going to be able to talk you through a fix. In fact, we’re probably not going to talk at all except through email. You’ll probably get a quicker and hopefully more reliable answer from one of the many support forums for Mac user communities, such as the appropriate Apple support community, or a Genius Bar, if there’s one near you.

And I hate to mention it, but there is plenty of decent security software for OS X nowadays. At this point, I think it’s worth paying for a decent security suite. But I won’t compromise my reputation for impartiality by recommending one in particular. :)

David Harley

Posted by: David Harley | May 30, 2016

Tardy Android updaters: name and shame?

According to Bloomberg, Android chief Hiroshi Lockheimer described updating issues as “the weakest link on security on Android.”

It’s big news if Google will, in fact, be taking decisive action to address fragmentation and inconsistency in updating frequency across the huge range of Android devices.

David Harley

Posted by: David Harley | April 29, 2016

Some Android malware research links

IBM Security Intelligence offers an interesting summary of the Android malware scene – Mobile Malware Competition Rises in Underground Markets, by Limor Kessem.

For The Register, Darren Pauli comments – Screen overlay malware on the rise as bot scum battle for dominance: Tanking PC trojans turn VXers to Android – and also links to a FireEye article by Wu Zhou, Junyuan Zeng, Linhai Song, and Jimmy Su: A growing number of Android malware families believed to have a common origin: a study based on binary code.

David Harley
